1/* $OpenBSD: ssl_sigalgs.c,v 1.49 2024/02/03 15:58:34 beck Exp $ */
2/*
3 * Copyright (c) 2018-2020 Bob Beck <beck@openbsd.org>
4 * Copyright (c) 2021 Joel Sing <jsing@openbsd.org>
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
13 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
15 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
16 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19#include <string.h>
20#include <stdlib.h>
21
22#include <openssl/evp.h>
23#include <openssl/opensslconf.h>
24
25#include "bytestring.h"
26#include "ssl_local.h"
27#include "ssl_sigalgs.h"
28#include "tls13_internal.h"
29
30const struct ssl_sigalg sigalgs[] = {
31	{
32		.value = SIGALG_RSA_PKCS1_SHA512,
33		.key_type = EVP_PKEY_RSA,
34		.md = EVP_sha512,
35		.security_level = 5,
36	},
37	{
38		.value = SIGALG_ECDSA_SECP521R1_SHA512,
39		.key_type = EVP_PKEY_EC,
40		.md = EVP_sha512,
41		.security_level = 5,
42		.group_nid = NID_secp521r1,
43	},
44	{
45		.value = SIGALG_RSA_PKCS1_SHA384,
46		.key_type = EVP_PKEY_RSA,
47		.md = EVP_sha384,
48		.security_level = 4,
49	},
50	{
51		.value = SIGALG_ECDSA_SECP384R1_SHA384,
52		.key_type = EVP_PKEY_EC,
53		.md = EVP_sha384,
54		.security_level = 4,
55		.group_nid = NID_secp384r1,
56	},
57	{
58		.value = SIGALG_RSA_PKCS1_SHA256,
59		.key_type = EVP_PKEY_RSA,
60		.md = EVP_sha256,
61		.security_level = 3,
62	},
63	{
64		.value = SIGALG_ECDSA_SECP256R1_SHA256,
65		.key_type = EVP_PKEY_EC,
66		.md = EVP_sha256,
67		.security_level = 3,
68		.group_nid = NID_X9_62_prime256v1,
69	},
70	{
71		.value = SIGALG_RSA_PSS_RSAE_SHA256,
72		.key_type = EVP_PKEY_RSA,
73		.md = EVP_sha256,
74		.security_level = 3,
75		.flags = SIGALG_FLAG_RSA_PSS,
76	},
77	{
78		.value = SIGALG_RSA_PSS_RSAE_SHA384,
79		.key_type = EVP_PKEY_RSA,
80		.md = EVP_sha384,
81		.security_level = 4,
82		.flags = SIGALG_FLAG_RSA_PSS,
83	},
84	{
85		.value = SIGALG_RSA_PSS_RSAE_SHA512,
86		.key_type = EVP_PKEY_RSA,
87		.md = EVP_sha512,
88		.security_level = 5,
89		.flags = SIGALG_FLAG_RSA_PSS,
90	},
91	{
92		.value = SIGALG_RSA_PSS_PSS_SHA256,
93		.key_type = EVP_PKEY_RSA,
94		.md = EVP_sha256,
95		.security_level = 3,
96		.flags = SIGALG_FLAG_RSA_PSS,
97	},
98	{
99		.value = SIGALG_RSA_PSS_PSS_SHA384,
100		.key_type = EVP_PKEY_RSA,
101		.md = EVP_sha384,
102		.security_level = 4,
103		.flags = SIGALG_FLAG_RSA_PSS,
104	},
105	{
106		.value = SIGALG_RSA_PSS_PSS_SHA512,
107		.key_type = EVP_PKEY_RSA,
108		.md = EVP_sha512,
109		.security_level = 5,
110		.flags = SIGALG_FLAG_RSA_PSS,
111	},
112	{
113		.value = SIGALG_RSA_PKCS1_SHA224,
114		.key_type = EVP_PKEY_RSA,
115		.md = EVP_sha224,
116		.security_level = 2,
117	},
118	{
119		.value = SIGALG_ECDSA_SECP224R1_SHA224,
120		.key_type = EVP_PKEY_EC,
121		.md = EVP_sha224,
122		.security_level = 2,
123	},
124	{
125		.value = SIGALG_RSA_PKCS1_SHA1,
126		.key_type = EVP_PKEY_RSA,
127		.md = EVP_sha1,
128		.security_level = 1,
129	},
130	{
131		.value = SIGALG_ECDSA_SHA1,
132		.key_type = EVP_PKEY_EC,
133		.md = EVP_sha1,
134		.security_level = 1,
135	},
136	{
137		.value = SIGALG_RSA_PKCS1_MD5_SHA1,
138		.key_type = EVP_PKEY_RSA,
139		.md = EVP_md5_sha1,
140		.security_level = 1,
141	},
142	{
143		.value = SIGALG_NONE,
144	},
145};
146
147/* Sigalgs for TLSv1.3, in preference order. */
148const uint16_t tls13_sigalgs[] = {
149	SIGALG_RSA_PSS_RSAE_SHA512,
150	SIGALG_RSA_PKCS1_SHA512,
151	SIGALG_ECDSA_SECP521R1_SHA512,
152	SIGALG_RSA_PSS_RSAE_SHA384,
153	SIGALG_RSA_PKCS1_SHA384,
154	SIGALG_ECDSA_SECP384R1_SHA384,
155	SIGALG_RSA_PSS_RSAE_SHA256,
156	SIGALG_RSA_PKCS1_SHA256,
157	SIGALG_ECDSA_SECP256R1_SHA256,
158};
159const size_t tls13_sigalgs_len = (sizeof(tls13_sigalgs) / sizeof(tls13_sigalgs[0]));
160
161/* Sigalgs for TLSv1.2, in preference order. */
162const uint16_t tls12_sigalgs[] = {
163	SIGALG_RSA_PSS_RSAE_SHA512,
164	SIGALG_RSA_PKCS1_SHA512,
165	SIGALG_ECDSA_SECP521R1_SHA512,
166	SIGALG_RSA_PSS_RSAE_SHA384,
167	SIGALG_RSA_PKCS1_SHA384,
168	SIGALG_ECDSA_SECP384R1_SHA384,
169	SIGALG_RSA_PSS_RSAE_SHA256,
170	SIGALG_RSA_PKCS1_SHA256,
171	SIGALG_ECDSA_SECP256R1_SHA256,
172	SIGALG_RSA_PKCS1_SHA1, /* XXX */
173	SIGALG_ECDSA_SHA1,     /* XXX */
174};
175const size_t tls12_sigalgs_len = (sizeof(tls12_sigalgs) / sizeof(tls12_sigalgs[0]));
176
177static void
178ssl_sigalgs_for_version(uint16_t tls_version, const uint16_t **out_values,
179    size_t *out_len)
180{
181	if (tls_version >= TLS1_3_VERSION) {
182		*out_values = tls13_sigalgs;
183		*out_len = tls13_sigalgs_len;
184	} else {
185		*out_values = tls12_sigalgs;
186		*out_len = tls12_sigalgs_len;
187	}
188}
189
190static const struct ssl_sigalg *
191ssl_sigalg_lookup(uint16_t value)
192{
193	int i;
194
195	for (i = 0; sigalgs[i].value != SIGALG_NONE; i++) {
196		if (sigalgs[i].value == value)
197			return &sigalgs[i];
198	}
199
200	return NULL;
201}
202
203static const struct ssl_sigalg *
204ssl_sigalg_from_value(SSL *s, uint16_t value)
205{
206	const uint16_t *values;
207	size_t len;
208	int i;
209
210	ssl_sigalgs_for_version(s->s3->hs.negotiated_tls_version,
211	    &values, &len);
212
213	for (i = 0; i < len; i++) {
214		if (values[i] == value)
215			return ssl_sigalg_lookup(value);
216	}
217
218	return NULL;
219}
220
221int
222ssl_sigalgs_build(uint16_t tls_version, CBB *cbb, int security_level)
223{
224	const struct ssl_sigalg *sigalg;
225	const uint16_t *values;
226	size_t len;
227	size_t i;
228	int ret = 0;
229
230	ssl_sigalgs_for_version(tls_version, &values, &len);
231
232	/* Add values in order as long as they are supported. */
233	for (i = 0; i < len; i++) {
234		/* Do not allow the legacy value for < 1.2 to be used. */
235		if (values[i] == SIGALG_RSA_PKCS1_MD5_SHA1)
236			return 0;
237		if ((sigalg = ssl_sigalg_lookup(values[i])) == NULL)
238			return 0;
239		if (sigalg->security_level < security_level)
240			continue;
241
242		if (!CBB_add_u16(cbb, values[i]))
243			return 0;
244
245		ret = 1;
246	}
247	return ret;
248}
249
250static const struct ssl_sigalg *
251ssl_sigalg_for_legacy(SSL *s, EVP_PKEY *pkey)
252{
253	if (SSL_get_security_level(s) > 1)
254		return NULL;
255
256	/* Default signature algorithms used for TLSv1.2 and earlier. */
257	switch (EVP_PKEY_id(pkey)) {
258	case EVP_PKEY_RSA:
259		if (s->s3->hs.negotiated_tls_version < TLS1_2_VERSION)
260			return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_MD5_SHA1);
261		return ssl_sigalg_lookup(SIGALG_RSA_PKCS1_SHA1);
262	case EVP_PKEY_EC:
263		return ssl_sigalg_lookup(SIGALG_ECDSA_SHA1);
264	}
265	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
266	return NULL;
267}
268
269static int
270ssl_sigalg_pkey_ok(SSL *s, const struct ssl_sigalg *sigalg, EVP_PKEY *pkey)
271{
272	if (sigalg == NULL || pkey == NULL)
273		return 0;
274	if (sigalg->key_type != EVP_PKEY_id(pkey))
275		return 0;
276
277	/* RSA PSS must have a sufficiently large RSA key. */
278	if ((sigalg->flags & SIGALG_FLAG_RSA_PSS)) {
279		if (EVP_PKEY_id(pkey) != EVP_PKEY_RSA ||
280		    EVP_PKEY_size(pkey) < (2 * EVP_MD_size(sigalg->md()) + 2))
281			return 0;
282	}
283
284	if (!ssl_security_sigalg_check(s, pkey))
285		return 0;
286
287	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION)
288		return 1;
289
290	/* RSA cannot be used without PSS in TLSv1.3. */
291	if (sigalg->key_type == EVP_PKEY_RSA &&
292	    (sigalg->flags & SIGALG_FLAG_RSA_PSS) == 0)
293		return 0;
294
295	/* Ensure that group matches for EC keys. */
296	if (EVP_PKEY_id(pkey) == EVP_PKEY_EC) {
297		if (sigalg->group_nid == 0)
298			return 0;
299		if (EC_GROUP_get_curve_name(EC_KEY_get0_group(
300		    EVP_PKEY_get0_EC_KEY(pkey))) != sigalg->group_nid)
301			return 0;
302	}
303
304	return 1;
305}
306
307const struct ssl_sigalg *
308ssl_sigalg_select(SSL *s, EVP_PKEY *pkey)
309{
310	CBS cbs;
311
312	if (!SSL_USE_SIGALGS(s))
313		return ssl_sigalg_for_legacy(s, pkey);
314
315	/*
316	 * RFC 5246 allows a TLS 1.2 client to send no sigalgs extension,
317	 * in which case the server must use the default.
318	 */
319	if (s->s3->hs.negotiated_tls_version < TLS1_3_VERSION &&
320	    s->s3->hs.sigalgs == NULL)
321		return ssl_sigalg_for_legacy(s, pkey);
322
323	/*
324	 * If we get here, we have client or server sent sigalgs, use one.
325	 */
326	CBS_init(&cbs, s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
327	while (CBS_len(&cbs) > 0) {
328		const struct ssl_sigalg *sigalg;
329		uint16_t sigalg_value;
330
331		if (!CBS_get_u16(&cbs, &sigalg_value))
332			return NULL;
333
334		if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL)
335			continue;
336		if (ssl_sigalg_pkey_ok(s, sigalg, pkey))
337			return sigalg;
338	}
339
340	SSLerror(s, SSL_R_UNKNOWN_PKEY_TYPE);
341	return NULL;
342}
343
344const struct ssl_sigalg *
345ssl_sigalg_for_peer(SSL *s, EVP_PKEY *pkey, uint16_t sigalg_value)
346{
347	const struct ssl_sigalg *sigalg;
348
349	if (!SSL_USE_SIGALGS(s))
350		return ssl_sigalg_for_legacy(s, pkey);
351
352	if ((sigalg = ssl_sigalg_from_value(s, sigalg_value)) == NULL) {
353		SSLerror(s, SSL_R_UNKNOWN_DIGEST);
354		return NULL;
355	}
356	if (!ssl_sigalg_pkey_ok(s, sigalg, pkey)) {
357		SSLerror(s, SSL_R_WRONG_SIGNATURE_TYPE);
358		return NULL;
359	}
360
361	return sigalg;
362}
363